• Sign in to Neowin Faster!

    Create an account on Neowin to contribute and support the site.

Sign in to follow this  

HTTPS sessions active for Tier 2 subscribers

Recommended Posts

+BudMan    3,537

Ok other than changing the http to https for the post, they also need to looking to the chain issue I linked too before in the thread - or you going to have issues with firefox users even logging in via https

---

www.neowin.net uses an invalid security certificate.

The certificate is not trusted because no issuer chain was provided.

(Error code: sec_error_unknown_issuer)

---

They need to load up the intermediate CA bundle I linked too before on their web servers.

Share this post


Link to post
Share on other sites
+theblazingangel    137

There was a thread a long time ago about the login posting being in clear text.. If I recall back then it was mentioned that it would be fixed when ssl was setup.

Well it seems that have setup ssl.. There is no need to encrypt the whole site.. sorry but I don't need my viewing of news articles or forum post to be encrypted. Nor do I need the stuff I am sending in a post that will be public encrypted.

What I would like is my password not to be sent in clear text. They have the ssl in place, all they need to do is change the posting from http to https and we are all good.

They can still require that you be a sub if you want the whole site via https, ads or no ads. But changing http to https in the post string for your login seems like a no brainer if the ssl cert has already been paid for and active.

Currently even if viewing the site view https, when I go to login the post in the html command is vis http.. So going to be sent in clear - even if everything else your viewing is via https -- the actual post of the username and password is still only http..

edit: For those that do not understand the issue. No your pc does not have to be compromised for someone to sniff your username and password.. So example your on a wireless network, anyone on that wireless network could see your traffic so could see your neowin username and password.

Now could they just hijack your cookie and auth as you that way - possible have not looked into the issue that deep, nor do I care too.

At any point between your PC and the neowin server it would be possible to see this traffic in the clear and get your username and password. I doubt that it is of much concern, but come on the ssl is there -- just change the post to https and this can discussion is over.

Even if your viewing gmail over http, when you go to login the post is https

  <form novalidate id="gaia_loginform" action="https://accounts.google.com/ServiceLoginAuth" method="post">
<form action="http://www.neowin.net/forum/index.php?app=core&module=global&section=login&do=process" method="post" id='login'>
Simple change of a couple lines of code to https vs http and issue goes away now that they have ssl in place.
Yes you do! The only reason to only care about hiding the login credentials is if you're reusing those same credentials for other things, something you shouldn't do and I wouldn't think you yourself would do. If you care about keeping other people out of your account here then you should care about all connections being encrypted.

The "persistent login" mechanism is simple. The server creates a "session" for you (a data storage container, usually a file) and sends a copy of the session's identifier to your browser in a "session" cookie. Upon successful authentication an identifier of which user account you authenticated against is stored in the session (and the session ID changed for security reasons). A copy of this cookie is sent with every request you send to the server, allowing you to be identified. The session is only destroyed if you actually logout or otherwise if it expires due to lack of activity. Anyone accessing your network traffic can capture the session cookie and impersonate you on the site.

Resources such as JavaScript files should also be fetched over HTTPS, partly in order to protect the session cookie, sent with such requests, and partly to prevent an attacker from modifying such code (perhaps to execute actions on your account,

to monitor what you're doing / capture your login credentials, or to exploit a vulnerability in your browser and therefore attack your computer).

  • Like 1

Share this post


Link to post
Share on other sites
+BudMan    3,537

"Yes you do!"

Yes I do care about other ways to hijack an authenticated session, but was outside the scope of the point I was trying to make, when I saw that ssl announcement. I recalled the past thread about sending password via http would be corrected when ssl came online.

So SSL is online, but password is still being sent over http was my point.

Once the username and passwords are sent over https, then be happy to join a thread that discusses other ways that might make it possible to hijack a users session on neowin. And ways to prevent that, etc.

So from this past thread, and these two posts.

http://www.neowin.net/forum/topic/1138606-neowin-login-not-secure/?view=findpost&p=595544858

http://www.neowin.net/forum/topic/1138606-neowin-login-not-secure/?view=findpost&p=595544882

It was pretty clear that login would be via ssl when it was available. I was not meaning discuss all the possible ways that a users session to a site might be compromised or gotten, etc.

I had even mentioned in that thread that maybe it could be for sub only ;)

 

edit: Maybe the whole site https option could be an option for subscribers only, etc. This might get a few more to join that rank and help neowin offset any added cost in such an implementation?

But lets take baby steps here.. Now that there is ssl, lets fix the firefox issue, and send the password over the ssl. Then if someone else wants to discuss overall security of the authentication process used on neowin, happy to join in ;)

A just want to make it clear, I am not saying neowin has to do anything.. Not like I stopped using neowin after I discovered passwords were not over https, and I don't recall of ever hearing any issues about neowin accounts being hijacked, etc.. And no this isn't bank site, etc. I really don't want to start up those sort of posts again.. Just simple question -- I should of prob made my comments in the mvc section vs in the announcement thread.. Oh well..

Share this post


Link to post
Share on other sites
tiagosilva29    952

BudMan, BudMan, BudMan, can't you see...?

Sometimes your words just hypnotize me.

And I just love your flashy ways.

Guess that's why they broke, and you're so paid!

f3yDDdT.gif

  • Like 4

Share this post


Link to post
Share on other sites
theyarecomingforyou    10,425

people going on about passwords. Really? Is your neowin password really that precious and worth donating $25 a year to protect?

Passwords should never be transmitted in plain text. I don't understand how you can't see the issue with it, especially when you know that most people won't use a unique password.

  • Like 1

Share this post


Link to post
Share on other sites
Ambroos    801

Even for subscribers passwords will be transmitted in plain-text since HTTPS can't be activated before logging in.

 

Seriously server guys, make the login target be HTTPS. Should only take a few minutes to change it. It already works if I do it manually in the Chrome dev tools.

  • Like 3

Share this post


Link to post
Share on other sites
Haggis    1,008

Even for subscribers passwords will be transmitted in plain-text since HTTPS can't be activated before logging in.

 

Seriously server guys, make the login target be HTTPS. Should only take a few minutes to change it. It already works if I do it manually in the Chrome dev tools.

 

 

No Answer to this? Its a Lgeitimate and great request

  • Like 2

Share this post


Link to post
Share on other sites
Redmak    353

https login enabled (forum only atm, I will change the main page login asap)

 

Installed intermediate CA's (thanks BudMan)

  • Like 13

Share this post


Link to post
Share on other sites
+BudMan    3,537

Quick test, shows your chain problem gone with firefox. And sniff of a login shows no cleartext.

Sweet.. As always neowin follows through, thanks guys!

  • Like 10

Share this post


Link to post
Share on other sites
funkydude    83

https login enabled (forum only atm, I will change the main page login asap)

 

Installed intermediate CA's (thanks BudMan)

 

 

Could you also correct the order of your cipher suites? Your current setup means there is no forward secrecy for IE users, meanwhile other browsers are being forced inferior suites: https://www.ssllabs.com/ssltest/analyze.html?d=www.neowin.net&s=74.204.71.246

 

 

Brilliant explanation of how to go about this is here: https://community.qualys.com/blogs/securitylabs/2013/08/05/configuring-apache-nginx-and-openssl-for-forward-secrecy

Share this post


Link to post
Share on other sites
123456789A    4,710

It's not a good idea to send passwords in plain text. At least send them in Word format.

  • Like 6

Share this post


Link to post
Share on other sites
+BudMan    3,537

Why just FS, Let's get some PFS going (Perfect Forward Secrecy)

Its a bit confusing why www.neowin.net is a cname for neowin.net, but the certs common name is www.neowin.net with no alternative of just neowin.net ?

Doesn't really matter until you start playing with certs.. But now for example you hit just https://neowin.net you get error about the cert. They could add alternative name to the cert, but not sure which one they purchased.. if just a DV, I don't think thawte provides that as addon feature?

They could work on beast attack mitigation as well ;) And should really allow for session resumption..

But hey its much better than before..

Share this post


Link to post
Share on other sites
Ambroos    801

https login enabled (forum only atm, I will change the main page login asap)

 

Installed intermediate CA's (thanks BudMan)

Thanks ^^

Share this post


Link to post
Share on other sites
Haggis    1,008

https login enabled (forum only atm, I will change the main page login asap)

 

Installed intermediate CA's (thanks BudMan)

 

 

Awesome Redmak, as said before Neowin comes up on top again :)

Share this post


Link to post
Share on other sites
DaveLegg    1,000

Why just FS, Let's get some PFS going (Perfect Forward Secrecy)

Its a bit confusing why www.neowin.net is a cname for neowin.net, but the certs common name is www.neowin.net with no alternative of just neowin.net ?

Doesn't really matter until you start playing with certs.. But now for example you hit just https://neowin.net you get error about the cert. They could add alternative name to the cert, but not sure which one they purchased.. if just a DV, I don't think thawte provides that as addon feature?

They could work on beast attack mitigation as well ;) And should really allow for session resumption..

But hey its much better than before..

We redirect neowin.net to www.neowin.net, sounds like that automatic redirect is missing from the https version, that's all.

Share this post


Link to post
Share on other sites
fobban    23

Login page should've had SSL 10 years ago.

 

Edit: Can see the login page having it now. Great!

Share this post


Link to post
Share on other sites
+Red King    2,466

So, is there a way to make the site redirect me to https when I am on http ?

Share this post


Link to post
Share on other sites
+BudMan    3,537

"We redirect neowin.net to www.neowin.net"

yes you do..

budman@ubuntu:/tmp$ wget http://neowin.net

--2013-08-18 14:49:03-- http://neowin.net/

Resolving neowin.net (neowin.net)... 74.204.71.247, 74.204.71.246, 74.204.71.245

Connecting to neowin.net (neowin.net)|74.204.71.247|:80... connected.

HTTP request sent, awaiting response... 301 Moved Permanently

Location: http://www.neowin.net/ [following]

--2013-08-18 14:49:03-- http://www.neowin.net/

But here is my point about https

budman@ubuntu:/tmp$ wget https://neowin.net

--2013-08-18 14:50:00-- https://neowin.net/

Resolving neowin.net (neowin.net)... 74.204.71.246, 74.204.71.245, 74.204.71.247

Connecting to neowin.net (neowin.net)|74.204.71.246|:443... connected.

ERROR: no certificate subject alternative name matches requested host name ?neowin.net?.

To connect to neowin.net insecurely, use `--no-check-certificate'.

You can not solve the issue with a redirect in https, since you have to setup your connection before you could ever be redirected, and certain things have to match to create that connection without warning.

It's not a big deal -- just one of the fun aspects of working with certs.. The joys of technology, serving up SSL/TLS is a thing unto itself ;)

The first steps have been made, as neowin staff becomes more familiar with the peculiarities of working with https I am sure things will progress... When you score an A, we can have a party https://www.ssllabs.com/ssltest/ But the current B gets the job done.

Share this post


Link to post
Share on other sites
The_Decryptor    1,105

Currently the only way to get an A on that test (while doing TLS 1.0) is to use RC4, which is insecure. In reality using AES CBC should be fine even with TLS 1.0 (Most clients work around BEAST, Apple being a holdout), but the ultimate solution is to use AES CBC with TLS 1.1, or AES GCM with TLS 1.2 (Which rules out like 80% of browsers)

But hey, IE 11, Chrome 29 and apparently Safari support TLS 1.1/1.2 fully (Firefox supports it, but not entirely, so it's still disabled), so it's not that far off.

Edit: Upside of AES GCM is that it's stupidly fast on Intel hardware made in the last couple of years.

Share this post


Link to post
Share on other sites
Sandor    436

It always amazes me when people complain about how someone else runs THEIR free service.  

How about contributing to the sites monetary needs if you have such a problem with it? You may provide support to others for free, but to feed the monster they need virgin blood and that ****s expensive and can't be paid for with computer advice.

Neobond explained why it's not available to everyone, quit your bitchin...

Missing the obvious that the site is precisely nothing without its users.

Share this post


Link to post
Share on other sites
Sandor    436

It's not a good idea to send passwords in plain text. At least send them in Word format.

top-lel.com

Share this post


Link to post
Share on other sites
rr_dRock    227

Missing the obvious that the site is precisely nothing without its users.

 

Okay? What's your point?

That doesn't negate the fact that the site needs money to run, and certificates cost money, and the fact that it's an extra incentive to subscribe. Again, if you don't like viewing the site without SSL, subscribe. If you don't have the measly ~$20 a year, then perhaps you need to get off the internet, and find a better job instead of wasting your time posting nonsense.

I agree about the login issue (which I believe was fixed? don't quote me), but it's not necessary to give a costly (well... it costs money) service to people for free to keep the site alive, as most people really don't give a ######.

Share this post


Link to post
Share on other sites
funkydude    83

Could you also correct the order of your cipher suites? Your current setup means there is no forward secrecy for IE users, meanwhile other browsers are being forced inferior suites: https://www.ssllabs.com/ssltest/analyze.html?d=www.neowin.net&s=74.204.71.246

 

 

Brilliant explanation of how to go about this is here: https://community.qualys.com/blogs/securitylabs/2013/08/05/configuring-apache-nginx-and-openssl-for-forward-secrecy

 

Has this been ignored? Admins?

 

 

Currently the only way to get an A on that test (while doing TLS 1.0) is to use RC4, which is insecure. In reality using AES CBC should be fine even with TLS 1.0 (Most clients work around BEAST, Apple being a holdout), but the ultimate solution is to use AES CBC with TLS 1.1, or AES GCM with TLS 1.2 (Which rules out like 80% of browsers)

But hey, IE 11, Chrome 29 and apparently Safari support TLS 1.1/1.2 fully (Firefox supports it, but not entirely, so it's still disabled), so it's not that far off.

Edit: Upside of AES GCM is that it's stupidly fast on Intel hardware made in the last couple of years.

 

Indeed, but that is also explained in his blog entry linked above.

Once all the browsers support TLS 1.2 he will probably remove the grade reduction when TLS 1.1/1.2 support is detected, as they are not affected by the BEAST attack.

 

In other words, you can ignore that it got a B and not an A as TLS 1.1/1.2 is supported.

Share this post


Link to post
Share on other sites
Sandor    436

Okay? What's your point?

That doesn't negate the fact that the site needs money to run, and certificates cost money, and the fact that it's an extra incentive to subscribe. Again, if you don't like viewing the site without SSL, subscribe. If you don't have the measly ~$20 a year, then perhaps you need to get off the internet, and find a better job instead of wasting your time posting nonsense.

I agree about the login issue (which I believe was fixed? don't quote me), but it's not necessary to give a costly (well... it costs money) service to people for free to keep the site alive, as most people really don't give a ****.

If I followed that advice for every site I visit I'd be paying out a fortune.

 

The site already advertises to each of us to make money.

 

How much do you think it costs to implement SSL on a site by the way? You might be in for a shock.

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  

  • Recently Browsing   0 members

    No registered users viewing this page.